Re: Ezvpn traffic encryption problem

From: jeremy co <jeremy.cool14_at_gmail.com>
Date: Mon, 27 Apr 2009 01:53:10 +1000

Joseph,

I guess the guy who wrote this document on the Cisco support page didn't do the CCIE
RS first either, same as me.

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/ps6659/prod_white_paper0900aecd80313bd6.pdf

"ip route 200.0.12.0 255.255.255.0 Ethernet0/0": search this doc for this
funny route!

Jeremy

On Sun, Apr 26, 2009 at 8:26 PM, Joseph L. Brunner
<joe_at_affirmedsystems.com>wrote:

> Have you done the CCIE R/S first???
>
> "ip route 200.0.12.0 255.255.255.0 Ethernet0/0"
>
> You're joking with this route, right?
>
> Try
>
> ip route 200.0.12.0 255.255.255.0 200.0.14.1
>
> Next,
>
> I think you want your crypto acl for the vpn group to look like this:
>
> ip access-list extended ezvpnacl
> permit ip 200.0.12.0 0.0.0.255 192.168.0.0 0.0.0.255
>
> Thanks,
>
> Joe
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> jeremy co
> Sent: Sunday, April 26, 2009 5:02 AM
> To: Cisco certification
> Subject: Ezvpn traffic encryption problem
>
> Hi,
>
> Consider this Ezvpn scenario:
>
> No traffic is encrypted when I ping from SW2 (200.0.48.8) to the interface of R1
> (200.0.12.1).
>
> The split tunnel is passed to the client, so why doesn't it encrypt the traffic?
>
> ************************************************************************************************************************************************************************************
>
> R2---(.12)-----R1-----(.14)--------R4----------(.48)-------SW2
>                (server)          (client)
>
> 200.0.XX.YY
>
>
> aaa authentication login default none
> aaa authentication login EZVPN_AUTHEN local
> aaa authorization network EZVPN_ATHOR local
>
> !
> username user1 privilege 15 password 0 cisco
> !
> !
> !
> crypto isakmp policy 10
> encr 3des
> hash md5
> authentication pre-share
> group 2
> crypto isakmp client configuration address-pool local R4Pool
> !
> crypto isakmp client configuration group EZVPN
> key cisco
> pool R4Pool
> acl 148
> !
> !
> crypto ipsec transform-set TS1 esp-3des esp-md5-hmac
> !
> crypto dynamic-map DYNAMIC 10
> set transform-set TS1
> reverse-route
> !
> !
> crypto map CRYPTO client authentication list EZVPN_AUTHEN
> crypto map CRYPTO isakmp authorization list EZVPN_ATHOR
> crypto map CRYPTO client configuration address respond
> crypto map CRYPTO 10 ipsec-isakmp dynamic DYNAMIC
> !
> !
> ip local pool R4Pool 192.168.0.1 192.168.0.254
> !
> access-list 148 permit ip 200.0.48.0 0.0.0.255 any
> !
>
>
> *****************************************************************************
> Client :
>
> crypto ipsec client ezvpn EZVPN_GP
> connect manual
> group EZVPN key cisco
> mode client
> peer 200.0.14.1
> xauth userid mode interactive
> !
> !
> interface Ethernet0/0
> ip address 200.0.14.4 255.255.255.0
> half-duplex
> crypto ipsec client ezvpn EZVPN_GP
> !
> interface Ethernet0/1
> ip address 200.0.48.4 255.255.255.0
> half-duplex
> crypto ipsec client ezvpn EZVPN_GP inside
>
> ip route 200.0.12.0 255.255.255.0 Ethernet0/0
>
> Rack1R4#sh crypto ipsec client ezvpn
> Easy VPN Remote Phase: 4
>
> Tunnel name : EZVPN_GP
> Inside interface list: Ethernet0/1
> Outside interface: Ethernet0/0
> Current State: IPSEC_ACTIVE
> Last Event: SOCKET_UP
> Address: 192.168.0.3
> Mask: 255.255.255.255
> Save Password: Disallowed
> Split Tunnel List: 1
> Address : 200.0.48.0
> Mask : 255.255.255.0
> Protocol : 0x0
> Source Port: 0
> Dest Port : 0
> Current EzVPN Peer: 200.0.14.1
>
> Rack1R4#sh crypto ipsec sa
>
> interface: Ethernet0/0
> Crypto map tag: Ethernet0/0-head-0, local addr 200.0.14.4
>
> protected vrf: (none)
> local ident (addr/mask/prot/port): (192.168.0.3/255.255.255.255/0/0)
> remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
> current_peer 200.0.14.1 port 500
> PERMIT, flags={origin_is_acl,}
> #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
> #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
> #pkts compressed: 0, #pkts decompressed: 0
> #pkts not compressed: 0, #pkts compr. failed: 0
> #pkts not decompressed: 0, #pkts decompress failed: 0
> #send errors 0, #recv errors 0
>
>
>
> Regards,
>
> Jeremy
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
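Editor's note on the split-tunnel ACL direction the two replies turn on, with an added model that is not code from this thread or from Cisco. The model assumes 'mode client' NAT to the assigned pool address (the 'local ident 192.168.0.3/32' shown above), that the server pushes each split-tunnel ACL entry's source network to the client (the 'Split Tunnel List' output above shows acl 148's source 200.0.48.0/24 arriving at R4), and contiguous wildcard masks only; the addresses are the thread's own. Run against the posted acl 148 and Joe's ezvpnacl, it shows why the ping from SW2 to 200.0.12.1 went out in the clear:

```python
"""Editor's model of Easy VPN split tunnelling for the thread above.

This is an added, simplified model (not Cisco code, not code posted in the
thread). It assumes:
  * the client runs 'mode client', so inside hosts are NATted to the pool
    address before encryption (the thread's 'local ident 192.168.0.3/32');
  * the server pushes the SOURCE network of each split-tunnel ACL entry to
    the client as a destination to encrypt (the thread's 'Split Tunnel List'
    shows acl 148's source 200.0.48.0/24 arriving at the client);
  * only contiguous wildcard masks are used.
"""
import ipaddress
from typing import Dict, List, Tuple

Net = ipaddress.IPv4Network


def wildcard_to_network(addr: str, wildcard: str) -> Net:
    """Turn an IOS 'address wildcard' pair into a network.

    The wildcard is the bitwise inverse of a netmask.  Non-contiguous
    wildcards (e.g. 0.0.255.0) are legal in IOS ACLs but have no prefix form
    and are rejected here rather than silently mis-modelled.
    """
    wild = int(ipaddress.IPv4Address(wildcard))
    netmask = (~wild) & 0xFFFFFFFF
    prefix = bin(netmask).count("1")
    contiguous = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    if netmask != contiguous:
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return Net((addr, prefix), strict=False)


def parse_acl_entry(line: str) -> Tuple[Net, Net]:
    """Parse one 'permit ip <src> <dst>' entry, numbered or named style.

    Accepts 'any', 'host A' and 'A WILDCARD' on either side.
    """
    toks = line.split()
    if toks[:1] == ["access-list"]:     # numbered form: access-list 148 permit ...
        toks = toks[2:]
    if toks[:2] != ["permit", "ip"]:
        raise ValueError(f"only 'permit ip' entries are modelled: {line!r}")
    nets: List[Net] = []
    rest = toks[2:]
    while rest:
        if rest[0] == "any":
            nets.append(Net("0.0.0.0/0"))
            rest = rest[1:]
        elif rest[0] == "host":
            nets.append(Net(rest[1] + "/32"))
            rest = rest[2:]
        else:
            nets.append(wildcard_to_network(rest[0], rest[1]))
            rest = rest[2:]
    if len(nets) != 2:
        raise ValueError(f"expected source and destination: {line!r}")
    return nets[0], nets[1]


def split_tunnel_list(acl_lines: List[str]) -> List[Net]:
    """Networks the server pushes to the client: the source side of each entry.

    The destination side (Joe's 192.168.0.0/24 pool, or 'any') is what the
    server matches on its own end; it never reaches the client's split list.
    """
    return [parse_acl_entry(line)[0] for line in acl_lines]


def client_decision(packet_dst: str, assigned_addr: str,
                    split_list: List[Net]) -> Dict[str, object]:
    """Decide whether an inside packet is sent through the tunnel.

    In 'mode client' the inside source is replaced by the assigned address,
    so the local proxy identity is always assigned_addr/32; the packet is
    encrypted only if its destination lies in a pushed split-tunnel network.
    """
    dst = ipaddress.IPv4Address(packet_dst)
    match = next((net for net in split_list if dst in net), None)
    return {
        "local_ident": f"{assigned_addr}/32",
        "remote_ident": str(match) if match else None,
        "encrypted": match is not None,
    }


# Constructed inputs taken from the thread: the posted acl 148 and Joe's fix.
POSTED_ACL = ["access-list 148 permit ip 200.0.48.0 0.0.0.255 any"]
FIXED_ACL = ["permit ip 200.0.12.0 0.0.0.255 192.168.0.0 0.0.0.255"]

if __name__ == "__main__":
    for name, acl in (("posted acl 148", POSTED_ACL), ("Joe's ezvpnacl", FIXED_ACL)):
        pushed = split_tunnel_list(acl)
        verdict = client_decision("200.0.12.1", "192.168.0.3", pushed)
        print(f"{name}: split list {[str(n) for n in pushed]} -> {verdict}")
```

With acl 148 the only network R4 is told to encrypt is its own inside LAN, so a packet for 200.0.12.1 never matches a split-tunnel entry and the '#pkts encrypt: 0' counter stays at zero; with the source flipped to 200.0.12.0/24 the same packet is NATted to 192.168.0.3 and matched. The interface-only static route Joe objects to is a separate question and is not modelled here.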

Received on Mon Apr 27 2009 - 01:53:10 ART